GHSA-cxrh-j4jr-qwg3: undici Denial of Service attack via bad certificate data

Skip to content

Navigation Menu

• • GitHub Copilot

    Write better code with AI

  • GitHub Advanced Security

    Find and fix vulnerabilities

  • Actions

    Automate any workflow

  • Codespaces

    Instant dev environments

  • Issues

    Plan and track work

  • Code Review

    Manage code changes

  • Discussions

    Collaborate outside of code

  • Code Search

    Find more, search less

• Explore

  • Learning Pathways
  • Events & Webinars
  • Ebooks & Whitepapers
  • Customer Stories
  • Partners
  • Executive Insights

• • GitHub Sponsors

    Fund open source developers

*   The ReadME Project
    
    GitHub community articles

• • Enterprise platform

    AI-powered developer platform

• Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

Appearance settings

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2025-47279

undici Denial of Service attack via bad certificate data

Low severity GitHub Reviewed Published May 15, 2025 in nodejs/undici • Updated May 15, 2025

Affected versions

< 5.29.0

>= 6.0.0, < 6.21.2

>= 7.0.0, < 7.5.0

Patched versions

5.29.0

6.21.2

7.5.0

Description

Impact

Applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak.

Patches

This has been patched in nodejs/undici#4088.

Workarounds

If a webhook fails, avoid keep calling it repeatedly.

References

Reported as: nodejs/undici#3895

References

• GHSA-cxrh-j4jr-qwg3
• nodejs/undici#3895
• nodejs/undici#4088

Published to the GitHub Advisory Database

May 15, 2025

Last updated

May 15, 2025

EPSS score